I would like to create a firewall rule in Group Policy that explicitly denies connections from international locations, but doesn't automatically allow all local traffic either. In short, I want the firewall policy to remain as it is for local connections (i.e. connections from within the same country), but to deny all inbound connections from international locations - but still allow international outbound connections - I'm not sure if this makes sense.

Basically, what I want to accomplish is this: When someone initiates a connection to any of the servers in the group, the server should first check if the originating IP address falls within the allowed IP blocks (which I will define). If it does, then the normal firewall and access rules should apply. On the other hand, if the originating IP falls outside of the allowed IP blocks, then the request should simply be ignored or denied. However, this rule should only apply for inbound traffic - the servers still need international access for outgoing traffic (such as downloading patches, sending email, etc.).

So far I have only been able to create a rule that denies international traffic, but then allows all local traffic - as opposed to applying the normal firewall policy to local traffic.
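One way to build the rule the question describes, as an added example rather than anything posted in the thread: Windows Firewall has no "everything except these ranges" address syntax, so the script computes the IPv4 complement of the allowed blocks and creates a single inbound Block rule over those ranges. Because Windows Firewall evaluates Block rules before Allow rules, unsolicited inbound connections from outside the allowed blocks are dropped, while connections from inside them fall through to whatever per-server rules already exist. The firewall is stateful, so the rule does not affect replies to connections the server itself opened. The allowed CIDRs and the GPO name are placeholders; `New-NetFirewallRule -PolicyStore 'domain\GPOName'` writes into a GPO and needs the Group Policy management tools on the machine running it.

```powershell
# Added example, not code from the thread. Assumes Windows Server 2012+/PowerShell 3+,
# the NetSecurity module, and (for -PolicyStore 'domain\GPO') the GPMC RSAT tools.

function ConvertTo-UInt32 ([string]$Ip) {
    # Dotted quad -> unsigned 32-bit integer (network order -> host order).
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    return [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-UInt32 ([uint32]$Value) {
    # Unsigned 32-bit integer -> dotted quad.
    $bytes = [BitConverter]::GetBytes($Value)
    [Array]::Reverse($bytes)
    return ($bytes -join '.')
}

function Get-CidrRange ([string]$Cidr) {
    # "a.b.c.d/n" -> first and last address of the block, as uint64 to avoid overflow.
    $ip, $prefix = $Cidr -split '/'
    $size  = [uint64][math]::Pow(2, 32 - [int]$prefix)
    $start = [uint64](ConvertTo-UInt32 $ip)
    $start = $start - ($start % $size)          # snap to the network boundary
    return [pscustomobject]@{ Start = $start; End = $start + $size - [uint64]1 }
}

function Get-ComplementRanges ([string[]]$AllowedCidrs) {
    # Every IPv4 range NOT covered by the allowed blocks, in the "first-last"
    # form that Windows Firewall accepts for -RemoteAddress. Overlapping or
    # adjacent allowed blocks are handled by tracking the highest address seen.
    $ranges = $AllowedCidrs | ForEach-Object { Get-CidrRange $_ } | Sort-Object Start
    $result = @()
    $cursor = [uint64]0
    foreach ($r in $ranges) {
        if ($r.Start -gt $cursor) {
            $first = ConvertFrom-UInt32 ([uint32]$cursor)
            $last  = ConvertFrom-UInt32 ([uint32]($r.Start - [uint64]1))
            $result += "$first-$last"
        }
        if ($r.End + [uint64]1 -gt $cursor) { $cursor = $r.End + [uint64]1 }
    }
    if ($cursor -le [uint32]::MaxValue) {
        $result += "$(ConvertFrom-UInt32 ([uint32]$cursor))-255.255.255.255"
    }
    return $result
}

function New-GeoBlockRule {
    param(
        [Parameter(Mandatory)][string[]]$AllowedCidrs,
        [string]$RuleName    = 'Block inbound from outside allowed IP blocks',
        [string]$PolicyStore = 'PersistentStore'   # or 'corp.example.com\Server Firewall' for a GPO (placeholder)
    )
    $blocked = @(Get-ComplementRanges $AllowedCidrs)
    if ($blocked.Count -eq 0) {
        Write-Warning 'Allowed list covers all of IPv4; nothing to block.'
        return
    }
    # Block rules win over Allow rules, so only addresses inside the allowed blocks
    # ever reach the existing per-server Allow rules. Outbound traffic is untouched.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $blocked -Profile Any -PolicyStore $PolicyStore
}

# Constructed allowed list (documentation/private ranges as placeholders, not a real country allocation).
$allowed = '10.0.0.0/8', '192.0.2.0/24', '198.51.100.0/24'
Get-ComplementRanges $allowed          # preview the ranges the rule would carry
# New-GeoBlockRule -AllowedCidrs $allowed -PolicyStore 'corp.example.com\Server Firewall'
```

Preview the complement before committing it; a country's allocation is thousands of CIDRs, so aggregate them first or the rule's address list becomes unwieldy. The script covers IPv4 only: if IPv6 is enabled on the servers, it needs its own rule or that path stays open. Rebuild the rule whenever the allowed list changes, since the complement is computed once and stored as literal ranges.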

I use pfSense for my firewall, and it has a package called Country Block which allows me to block incoming traffic based on the country of origin. Of course, a smart hacker could find ways around this but it works well for the majority.

You can't block inbound international (or whatever) traffic and still connect to international servers for outbound. When you connect to them they will send data back to you but your firewall rules will block it because you told it to, hence you will never successfully connect to those addresses. Basically saying I don't want to talk to you, wait yes I do, er no I don't. Either you do or don't, cannot have it both ways.

Well, the first question will be... what firewall do you have? Are you talking about the Windows firewall? If so, why do any of your Windows boxes talk to the outside world directly?

Yes, I am talking about the Windows firewall. The group of servers is hosted in a data centre, which is why they have direct internet connectivity. Although there is a hardware firewall option at present, I am trying to circumvent it because of the sheer number of ports that NEED to be open. I have little control over why all these ports need to be open, but there are a few thousand of them when you combine all open ports for all servers, although they do not all need the same ports opened.

Also, I am not sure which make or model the hardware firewall is, I only have control panel access to the settings - so I am unable to give any details on this. Furthermore, when a port is opened on the hardware firewall it is opened for the entire VLAN. If I open port 80 for one server, it will be open for all servers in the group - whereas with group policy I will be able to create a policy for each type of server.

This is a good point, thanks. I will have to add the international IPs (that they need access to) to the block of allowed IPs.

While I'm happy with Windows Firewall for most computers, I don't think it would be best for long-term direct Internet exposure. I don't have any that come to mind, but I'd recommend finding a software-based firewall that has some type of intrusion prevention system built-in.
